
     1  package sns
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
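// CheckTopicEncryptionUsesCMK reports SNS topics whose server-side encryption
// key is the AWS-managed default key (alias/aws/sns) instead of a customer
// managed KMS key. Topics with no encryption key configured at all are neither
// passed nor failed by this rule: they do not use a CMK, but reporting them as
// passing here would hide that they are unencrypted.
var CheckTopicEncryptionUsesCMK = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0136",
		ShortCode:   "topic-encryption-use-cmk",
		Summary:     "SNS topic not encrypted with CMK.",
		Explanation: `Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.`,
		Impact:      "Key management very limited when using default keys.",
		Resolution:  "Use a CMK for SNS Topic encryption",
		Provider:    providers.AWSProvider,
		Service:     "sns",
		Links: []string{
			"https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html",
		},
		Severity: severity.High,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformTopicEncryptionUsesCMKGoodExamples,
			BadExamples:         terraformTopicEncryptionUsesCMKBadExamples,
			Links:               terraformTopicEncryptionUsesCMKLinks,
			RemediationMarkdown: terraformTopicEncryptionUsesCMKRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationTopicEncryptionUsesCMKGoodExamples,
			BadExamples:         cloudFormationTopicEncryptionUsesCMKBadExamples,
			Links:               cloudFormationTopicEncryptionUsesCMKLinks,
			RemediationMarkdown: cloudFormationTopicEncryptionUsesCMKRemediationMarkdown,
		},
		CustomChecks: scan.CustomChecks{},
		RegoPackage:  "",
	},
	// The check function: one result per SNS topic that has an encryption key
	// configured. Fails when the key is the AWS-managed SNS key, passes otherwise.
	func(s *state.State) (results scan.Results) {
		// The AWS-managed default key for SNS. Configurations may reference it
		// either by its bare alias ("alias/aws/sns") or by a full alias ARN that
		// ends in that alias, so a suffix match catches both forms where an exact
		// comparison would let the ARN form slip through as a "pass".
		const awsManagedKeyAlias = "alias/aws/sns"

		for _, topic := range s.AWS.SNS.Topics {
			key := topic.Encryption.KMSKeyID

			// No key configured means no encryption at all; that is not a CMK
			// pass, so skip rather than record a misleading passed result.
			if key.IsEmpty() {
				continue
			}

			if key.EndsWith(awsManagedKeyAlias) {
				results.Add(
					"Topic encryption does not use a customer managed key.",
					key,
				)
				continue
			}

			results.AddPassed(&topic)
		}
		return
	},
)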